[TryHackMe][CompTIA_Pentest+][Network_Services]

- 5 mins

Summary:

Learn about, then enumerate and exploit a variety of network services and misconfigurations.

Tasks

Understanding SMB

Question : What does SMB stand for ?

Answer : Server Message Block

Question : What type of protocol is SMB ?

Answer : response-request

Question : What do clients connect to servers using ?

Answer : TCP/IP

Question : What systems does Samba run on ?

Answer : Unix

Enumerating SMB

Question : Conduct an nmap scan of your choosing, how many ports are open ?

Answer : 3

Question : What ports is SMB running on ?

Answer : 139/445

Question : Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name ?

Answer : WORKGROUP

Question : What comes up as the name of the machine ?

Answer : POLOSMB

Question : What operating system version is running ?

Answer : 6.1

Question : What share sticks out as something we might want to investigate ?

Answer : profiles

Exploiting SMB

Question : What would be the correct syntax to access an SMB share called “secret” as user “suit” on a machine with the IP 10.10.10.2 on the default port ?

Answer : smbclient //10.10.10.2/secret -U suit -p 445

Question : Does the share allow anonymous access ? Y/N ?

Answer : Y

Question : Great! Have a look around for any interesting documents that could contain valuable information. Who can we assume this profile folder belongs to ?

Answer : John Cactus

Question : What service has been configured to allow him to work from home ?

Answer : ssh

Question : Okay! Now we know this, what directory on the share should we look in ?

Answer : .ssh

Question : This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us ?

Answer : id_rsa

Question : What is the smb.txt flag ?

Answer : THM{smb_is_fun_eh?}

Understanding Telnet

Question : What is Telnet?

Answer : application protocol

Question : What has slowly replaced Telnet ?

Answer : ssh

Question : How would you connect to a Telnet server with the IP 10.10.10.3 on port 23 ?

Answer : telnet 10.10.10.3 23

Question : The lack of what, means that all Telnet communication is in plaintext ?

Answer : encryption

Enumerating Telnet

Question : How many ports are open on the target machine ?

Answer : 1

Question : What port is this ?

Answer : 8012

Question : This port is unassigned, but still lists the protocol it’s using, what protocol is this ?

Answer : tcp

Question : Now re-run the nmap scan, without the -p- tag, how many ports show up as open ?

Answer : 0

Question : Based on the title returned to us, what do we think this port could be used for ?

Answer : a backdoor

Question : Who could it belong to ? Gathering possible usernames is an important step in enumeration.

Answer : Skidy

Exploiting Telnet

Question : Great! It’s an open telnet connection! What welcome message do we receive ?

Answer : SKIDY'S BACKDOOR.

Question : Let’s try executing some commands, do we get a return on any input we enter into the telnet session ? (Y/N)

Answer : N

Question : Now, use the command “ping [local THM ip] -c 1” through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)

Answer : Y

Question : What word does the generated payload start with ?

Answer : mkfifo

Question : What would the command look like for the listening port we selected in our payload ?

Answer : nc -lvp 4444

Question : Success! What are the contents of flag.txt ?

Answer : THM{y0u_g0t_th3_t3ln3t_fl4g}

Understanding FTP

Question : What communications model does FTP use ?

Answer : client-server

Question : What’s the standard FTP port ?

Answer : 21

Question : How many modes of FTP connection are there?

Answer : 2

Enumerating FTP

Question : How many ports are open on the target machine ?

Answer : 2

Question : What port is ftp running on ?

Answer : 21

Question : What variant of FTP is running on it ?

Answer : vsftpd

Question : What is the name of the file in the anonymous FTP directory?

Answer : PUBLIC_NOTICE.txt

Question : What do we think a possible username could be ?

Answer : mike

Exploiting FTP

Question : What is the password for the user “mike” ?

Answer : password

Question : What is ftp.txt?

Answer : THM{y0u_g0t_th3_ftp_fl4g}